This Privacy Policy is provided in Japanese as the authoritative version. The Japanese version shall prevail in case of any discrepancy.
Mitsugu Sugiuchi (hereinafter referred to as "the Company") hereby establishes this Privacy Policy (hereinafter referred to as "this Policy") regarding the handling of users' personal information in the project management service "WeProcess" (hereinafter referred to as "the Service") provided by the Company.
This Policy is intended to comply with the laws and regulations on personal information protection applicable to users of the Service in each country and region, including Japan's Act on the Protection of Personal Information and the EU General Data Protection Regulation (GDPR).
Article 1 (Information We Collect)
The Company collects the following information in providing the Service.
1. Information directly provided by users
Account registration information (name, email address, password, etc.)
Profile information (display name, icon image, etc.)
Payment information (credit card information, etc. However, payment processing is performed by Stripe, Inc., and the Company does not directly retain credit card numbers.)
Inquiry details (content of communications via email, telephone, etc.)
Team information (team name, email addresses of invited members, etc.)
2. Information automatically collected through use of the Service
Access logs (IP address, browser type, access date and time, referring URL, etc.)
Usage information (features used, operation history, usage duration, etc.)
Device information (OS, screen resolution, language settings, etc.)
Information collected through cookies and similar technologies
3. Information obtained from third parties
Information provided by external authentication services (such as Google) when creating an account using such services (name, email address, profile image, etc.)
Article 2 (Purpose of Use and Legal Basis)
The Company uses collected personal information for the following purposes. For users subject to the GDPR, the legal basis corresponding to each purpose of use is also indicated.
Purpose of Use
Legal Basis (GDPR)
1. Provision, operation, maintenance, and improvement of the Service
Performance of Contract
2. Account creation, authentication, and management
Performance of Contract
3. Billing and payment processing
Performance of Contract
4. Responding to user inquiries
Performance of Contract / Legitimate Interests
5. Sending notifications regarding the Service
Performance of Contract
6. Addressing violations of the Terms of Service
Legitimate Interests
7. Detection and prevention of unauthorized access and misuse
Legitimate Interests
8. Analysis of usage and improvement of service quality
Legitimate Interests
9. Development of new features and services
Legitimate Interests
10. Sending marketing and promotional communications
User Consent
11. Compliance with legal obligations
Legal Obligation
Article 3 (Disclosure of Personal Information to Third Parties)
The Company shall not provide personal information to third parties without the user's consent, except in the following cases.
When required by law
When necessary for the protection of life, body, or property of an individual, and when it is difficult to obtain the consent of the user
When particularly necessary for improving public health or promoting the sound development of children, and when it is difficult to obtain the consent of the user
When it is necessary to cooperate with a national or local government agency or a person entrusted by such agency in performing duties prescribed by law, and when obtaining the consent of the user may impede the performance of such duties
Article 4 (Provision to Outsourced Service Providers)
The Company may outsource all or part of the handling of personal information to external service providers to the extent necessary to achieve the purposes of use. In such cases, the Company shall exercise necessary and appropriate supervision over the outsourced parties to ensure the secure management of personal information.
The primary outsourced service providers for the Service are as follows.
Stripe, Inc. — Payment processing
Hosting service providers — Server operation and data storage
Analytics service providers — Analysis of usage
For outsourced parties handling data of users subject to the GDPR, the Company shall enter into data processing agreements pursuant to Article 28 of the GDPR and ensure appropriate protective measures.
Article 5 (Use of Cookies)
The Company uses cookies and similar technologies in the Service.
Cookies are classified into the following categories.
Category
Purpose
Consent Required
Essential Cookies
Cookies essential for the basic operation of the Service, such as maintaining login status and ensuring security
Not required (essential for service provision)
Functional Cookies
Saving user settings and preferences (language, theme, etc.)
Required
Analytics Cookies
Analysis and improvement of service usage
Required
For users accessing from the EEA (European Economic Area), the United Kingdom, or Switzerland, consent for the use of cookies other than essential cookies will be requested upon first access.
Users may change their cookie acceptance settings at any time through browser settings or the cookie settings screen. However, rejecting essential cookies may prevent the Service from functioning properly.
Article 6 (Security Measures)
The Company takes the following measures to prevent leakage, loss, or damage of personal information and to ensure the secure management of personal information.
Organizational security measures — Appointing a person responsible for the handling of personal information and clarifying the scope of personal information handled.
Technical security measures — Implementing technical measures such as encryption of communications (SSL/TLS), access control, and data encryption.
Physical security measures — Taking measures to prevent theft or loss of equipment and electronic media used to handle personal information.
Article 7 (Data Retention Period)
The Company retains personal information for the period necessary to achieve the purposes of use. The retention period is determined considering legal obligations, contractual necessity, and reasonable expectations of users.
Data handling after account deletion is as follows.
User Content — Retained for 30 days after account deletion, then deleted.
Account Information — Deleted promptly after account deletion. However, if retention is required by law, it will be retained for the period prescribed by such law.
Payment History — Retained for the period required by law (such as the Electronic Books Preservation Act).
Access Logs — Retained for a maximum of one year for security and fraud prevention purposes.
Article 8 (User Rights — Japan's Act on the Protection of Personal Information)
Under Japan's Act on the Protection of Personal Information, users may make the following requests to the Company. The Company shall respond within a reasonable period after confirming that the request is from the user themselves.
Request for disclosure — Users may request disclosure of their personal information held by the Company.
Request for correction, addition, or deletion — Users may request correction, addition, or deletion if the content of their personal information is inaccurate.
Request for suspension or erasure of use — Users may request suspension or erasure of use if personal information is being used beyond the scope of the purposes of use.
Data portability — Users may export their User Content through the account settings screen of the Service.
Article 9 (User Rights — GDPR)
Users residing in the EEA, the United Kingdom, or Switzerland have the following rights under the GDPR, in addition to the rights set forth in Article 8.
Right of access (Article 15) — The right to obtain a copy of personal data processed by the Company.
Right to rectification (Article 16) — The right to request rectification of inaccurate personal data.
Right to erasure (right to be forgotten) (Article 17) — The right to request erasure of personal data under certain conditions. The Company shall respond promptly, except where retention is necessary for compliance with legal obligations.
Right to restriction of processing (Article 18) — The right to request restriction of processing of personal data under certain conditions.
Right to data portability (Article 20) — The right to receive personal data provided to the Company in a structured, commonly used, and machine-readable format.
Right to object (Article 21) — The right to object to processing based on legitimate interests. Objections to processing for marketing purposes shall be accepted unconditionally.
Right to withdraw consent — The right to withdraw consent at any time for processing based on consent. Withdrawal of consent shall not affect the lawfulness of processing prior to withdrawal.
Right to lodge a complaint with a supervisory authority — The right to lodge a complaint with the data protection supervisory authority of the user's country of residence regarding the Company's processing of personal data.
To exercise the above rights, please contact us through the inquiry desk described in Article 15. The Company shall respond within one month in principle. If the request is complex or numerous, it may be extended by an additional two months. In such cases, the user will be notified along with the reasons for the extension.
Article 10 (International Data Transfers)
If the servers of the Service or outsourced service providers are located overseas, users' personal information may be transferred outside of Japan.
When transferring personal data of users residing in the EEA, the United Kingdom, or Switzerland to a country that the European Commission has not recognized as having an adequate level of data protection, the Company shall implement one of the following safeguards.
Execution of Standard Contractual Clauses (SCCs) approved by the European Commission
Confirmation that the data transfer recipient has obtained appropriate data protection certification
Other appropriate safeguards recognized by the GDPR
Users may request details of the safeguards regarding data transfers through the inquiry desk in Article 15.
Article 11 (Use by Minors)
In Japan, consent of a legal representative is required for minors (under 18 years of age) to use the Service.
In the EEA, the United Kingdom, or Switzerland, parental consent is required for persons under 16 years of age to use the Service. However, if this age is lowered by the laws of a member state, the laws of that member state shall apply.
The Company does not intentionally collect personal information of persons below the above ages without parental consent. If it is found that personal information of such persons has been collected without parental consent, the Company shall promptly delete such information.
Article 12 (Handling of Information in the AI Assistant Feature)
Information entered by users in the AI assistant feature is used to generate responses for those users.
The Company does not use information entered by users in the AI assistant feature for AI model training purposes.
In providing the AI assistant feature, information may be transmitted to external AI service providers. In such cases, the Company shall enter into appropriate contracts with such providers and ensure the secure management of information.
When transmitting data of users residing in the EEA, the United Kingdom, or Switzerland to external AI service providers, the safeguards set forth in Article 10 shall be implemented.
Article 13 (Response to Data Breaches)
In the event of a personal data breach (leakage, unauthorized access, etc.), the Company shall promptly investigate the cause and endeavor to prevent the spread of damage.
When a situation requiring reporting arises under Japan's Act on the Protection of Personal Information, the Company shall report to the Personal Information Protection Commission and notify the affected users.
In the event of a breach involving data of users subject to the GDPR, the Company shall report to the competent data protection supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to pose a high risk to the rights and freedoms of users, the Company shall also notify the affected users without undue delay.
Article 14 (Changes to This Policy)
The Company may change this Policy due to amendments to laws, changes to the Service, or other reasons.
In the case of significant changes, the Company shall notify users at least 30 days prior to the effective date of the changes through notifications on the Service and email to the email address registered by the user.
For changes affecting users subject to the GDPR, the Company shall clearly explain the content of the changes and, where necessary, obtain consent again.
The revised Policy shall take effect on the effective date, unless otherwise specified by the Company.
Article 15 (Contact Information)
For inquiries regarding this Policy and requests for exercising rights related to personal information, please contact the following.
Business Operator: Mitsugu Sugiuchi
Address: Wind Ebisu Building 8F, 2-4-8 Ebisu-Nishi, Shibuya-ku, Tokyo 150-0021, Japan
Email: support@weprocess.site
Phone: 050-8896-2477
Users subject to the GDPR who are dissatisfied with the Company's response may lodge a complaint with the data protection supervisory authority of their country of residence.